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(U) Terrorists Transit via Europe A 


(U) Communication 

• Transit Points 
(U) Partners 

• Second Party 

• Third Party 
(U) Relationships 

• eucom -r* 

• AFRICO|£ 

• CENTCOM 
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(U) Challenge: Integrating Tactical 

& National Collection 

• (C//FVEY) Collection with HF/ 
VHF/UHF 

- Digital packets 

- Analog comms 

- Noise issues, lack of experience with 
these types of signals 

• (C//FVEY) Tactical versus National 
(Strategic) Collection 

- RTRG 

- DISTILLERY 
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(U) Analytics for Targets in Europe 

(C//FVEY) OPSEC Sawy Targets 
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...most terrorists stop thru Europe" 


(TS//FVEY) Use advanced 



Steganography 

• Forensics or Analytics on front end 

Encryption 

• Takes time and has "black hole" issue 


Reliance on 




GCHQ and FAA 

Problems processing w/r to TS 

TOP SECRET7/SI//REL USA, FVEYS 



(U)Analyt' 

Intell 


(U) Human 
Trafficking 


(U) Weapons 


(U) Drug 
Smuggling 


(U) Biometrics 
& Elections 


(C//FVEY) 
Operations 
from Jordan to 
Syria in both 
directions; Sahel 



(C//FVEY) 
From Libya to 
Sahel 



(C//FVEY) 
Sahel and 
financing of 
terrorism; 
Balkans into 
Europe 

(C//FVEY) Used 
in Africa 



s for Identity 
gence 


Metadata for 
geolocation; 
content for 
confirmation 




Metadata for 
geolocation; 
content for 
confirmation 



Metadata for 
geolocation; 
content for 
confirmation 




Need collection 
assets 
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(U) Enrichment Sources 


(U) Air Breather, HF & UHF/VHF 
(C//FVEY) Big Pipe & FORNSAT 
(U) Military SIGINT Services 
(U//FOUO) Forensics 
(U) Third Party Sources 
(C//FVEY) Second Party 

• GCHQ is critical for mission 


v. 



QRC Package 



3rd Party Partner Sharing 
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Computer Forensics 


(U) Enrichment: SIGDEV & GCHQ QFDs 


Account Allocations by TOPI 
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March 2012 


(S//FVEY) 54% of current ECC DNI 
tasking based on QFD data 

(S//FVEY) QFDs provide better 
access to metadata for European & 
North African targets than any other 
access at ECC due to poor passive 
collection 

( C//FVEY) Flexibility provided by 
the use of TDIs and the first stage 
query allows for better target 
discovery and development 


Slide taken from ECC archives. 
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(U) Data Flow Integration is Constant Headache 


Access 
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(U) "Real Time" Analytics 



(U) Nascent Analytics with unclear definition of "real 
time" 

• How fast is alerting? 
(C//FVEY) DISTILLERY 

• Pulled from GHOSTMACHINE stack 
(U) NIAGARAFILES 

• File based 

• Starting to gain experience 
(C//FVEY) RTRG 

• Tools not integrated into ECC 

• Data Sets are sparse 

• Tactically oriented 

• Unregulated alerts can quickly spam user 
(C//FVEY) ECC Current Effort: 

• Focused on NTOC and Distributed Denial of 
Service attack alerting 

. TTgp»o TYTQTTT T FT?V 
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(U) Batch: MapReduce Analytics 



(U) Batch oriented versus streaming 

• Run every 1 5 min to once a day or so 

• Not streaming 
(U) Good Data Storage 

• Good access outward to MDR- 1 , MDR-2 

• Days to years of storage 

• Promotion (?) 

(U) Complex Analytics like "Pattern of Life" 

• Reasonable amount of processing cycles at the 
front end collection system (not yet tested) 

(U) Session can be quite long and still captured (not yet 
tested) 

(U) UUID's (identifying sessions) are workable 
(U) No experience yet sharing with second and third 
party partners 

(U) Unknown level of entry training required 
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(U) Xkeyscore Fingerprints 


(C//FVEY) Streaming 

• Data available one hour later? 

• Most do pulls up to yesterday 
(U) Good Data Storage 

• RAW content: 3 days to a couple of weeks 

• Metadata: 90+ days 

(U) Complex Analytics like "Pattern of Life" 

• Reasonable amount of processing cycles at the 
front end collection system 

(U) Session can be quite long and still captured 
(U) UUID's are workable 

(U) Good for sharing with second and third party 
(U) Relatively low level of entry training required 
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(U) Key Take Aways 


• (U//FOUO) Discovery in Africa is based on "we 
do not know what we do not see" 

- Unknown Unknown from url: https://wiki.nsa.ic.gov/ 
wiki/NTOC-Ediscoverytradecraft 

• (U) Europe has Opsec savvy CT targets 

• (U) Analytics involve partners 
-- 3rd Party in future 

• (U) Limited Resources: Processing Power & BW 
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NSA/CSS Europe & Africa 



QUESTIONS? 
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